Java Security Flaw Is Repaired; Experts Still Recommend Disabling It

Days after the Department of Homeland Security said computer users should remove the latest versions of its Java software, Oracle Corp. says it has fixed the flaw, in a new update released Monday. As we reported Friday, hacking groups included the Java 7 vulnerability in new "exploit kits" this year.

Oracle provides instructions for updating to Java 7, update 11 on its website, saying the update raises the default security level for Java applets from Medium to High — which means that "the user is always warned before any unsigned application is run to prevent silent exploitation," the company says in its release notes.

But the experts who highlighted the Java 7 flaw say that even though it's fixed, users should beware, as other security problems could arise in the software.

News of the Java 7 flaw, which can allow hackers to take over a computer, worried many of the millions of people whose computers use the software. It also set off confusion, and calls for Oracle to "rewrite Java from scratch," as PC World reports.

Even as the U.S. Computer Emergency Readiness Team recommended updating Java 7 to combat the flaw, the agency also said Monday that "new Java vulnerabilities are likely to be discovered" — and people should still consider disabling Java in their browsers. Some experts say you should simply remove it entirely — or perhaps keep Java on only one browser, for use on specific sites.

Here's a quick reference of options, from disabling to uninstalling, and other factors:

Disable Java in Internet Explorer - instructions at Microsoft's site. Java 7.10 and 7.11 (the newest versions) allow users the easiest path to turning Java off. But fully disabling Java on Explorer can be complicated, leading many experts to recommend removing the program entirely.

Uninstall Java Completely

Many people say they can disable or delete Java completely, and not miss it. One of them is security expert Brian Krebs, who Monday praised Oracle for acting quickly — but still recommended uninstalling Java.

Oracle says you should uninstall older versions of Java, as keeping old versions "presents a serious security risk." Because of the way updates were once handled, you might have several out-of-date versions of Java on your machine.

That might present a problem to some folks, especially if they sometimes use business software that requires an older version. This situation most often leads people to keep one browser specifically for Java.

Java vs. Javascript: The Java 7 security flaw does not affect JavaScript. While they're both programming languages, they're not as closely related as their names imply.

Java, developed by Sun Microsystems, is far more complex and independent — and thus poses more risk if hackers find a way to misuse it. By contrast, JavaScript, developed by Netscape, is used mostly within HTML to make web pages more interactive.